CVE-2025-30154 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-03-19

Added to CISA KEV: 2025-03-24 5 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review GitHub Actions workflow logs from March 11, 2025 (18:42-20:31 UTC) for any secret dumps or unauthorized access
Immediately audit all secrets and tokens that may have been exposed in affected workflow runs
Rotate all potentially compromised secrets, API keys, and access tokens
Review and update GitHub Actions to use pinned versions or verified sources
Implement GitHub Actions security scanning and supply chain monitoring
Consider using GitHub's OIDC tokens instead of long-lived secrets where possible

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-30154 is a critical supply chain vulnerability involving the compromise of the `reviewdog/action-setup@v1` GitHub Action?id=CVE-2025-30154?kagi_q=CVE-2025-30154.

Overview and Impact

Nature of Vulnerability: This was a supply chain compromise where malicious code was injected into the `reviewdog/action-setup@v1` GitHub Action?id=CVE-2025-30154?kagi_q=CVE-2025-30154.
Impact: The malicious code was designed to exfiltrate (dump) exposed secrets from the environment to GitHub Actions Workflow Logs, where they could be accessed by unauthorized parties ^[2].
Severity: It carries a CVSS score of 8.6 (HIGH) ^[2].

Exploitation Details

Active Exploitation: The vulnerability was actively exploited in the wild, leading CISA to add it to its Known Exploited Vulnerabilities (KEV) Catalog in March 2025 ^[3].
Timeline: The compromise occurred on March 11, 2025, between 18:42 and 20:31 UTC?id=CVE-2025-30154?kagi_q=CVE-2025-30154.
Attack Method: This was a supply chain attack. Users who utilized the compromised version of the action in their CI/CD pipelines automatically pulled and executed the malicious code during their workflow runs ^[1].
Requirements: No specific user interaction was required beyond the standard execution of the affected GitHub Action within a workflow.

Targeted Attacks and Ransomware

While the incident was a widespread supply chain compromise affecting numerous repositories, there is no specific public evidence linking this vulnerability to established ransomware campaigns. However, the exposure of secrets (such as API keys, cloud credentials, or deployment tokens) provides attackers with the necessary access to perform follow-on targeted attacks, lateral movement, or data theft within the affected organizations' infrastructure ^[1].

Affected Versions and Mitigation

Affected Product: `reviewdog/action-setup@v1` ^[4].
Status: The compromise was limited to the specific timeframe on March 11, 2025. Users who utilized the action during this window are advised to assume that any secrets present in their environment at that time may have been compromised.
Mitigation: The primary mitigation is to rotate all secrets that were available to the GitHub Actions environment during the period of the compromise ^[1]. Organizations should also audit their workflow logs for signs of unauthorized access or data exfiltration.

Sources

CVE-2025-30154 - Major Reviewdog GitHub Action Supply Chain Compromise ...
CVE-2025-30154 - Major Reviewdog GitHub Action Supply Chain Compromise – Full Timeline, Exploit Analysis, and Mitigation --- On March 11, 2025, a critical security incident struck the open source developer world: the popular reviewdog/action-setup GitHub Action was compromised, putting secrets and w…
NVD - CVE-2025-30154
A GitHub action that installs reviewdog was compromised with malicious code that dumps secrets to Github Actions Workflow Logs. The vulnerability affects multiple reviewdog actions and has a CVSS score of 8.6 (HIGH).
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-30154…
CVE-2025-30154 - GitHub Advisory Database
A GitHub Action was compromised on March 11, 2025, and exposed secrets to Github Actions Workflow Logs. The vulnerability affects multiple Reviewdog actions that use reviewdog/action-setup@v1 and has a CVSS score of 8.6.

🟢 CVE-2025-30154